Certbot
adding/removing domains
The approach is fundamentally the same for both, because the list of domains (-d) to add to a certificate is explicit:
certbot certonly --cert-name hostname.domain.com -d hostname.domain.com -d domain.com -d another.domain.com
If running Apache, the apache plugin verification is probably what you need.
using with email and dynamic DNS
certbot renew --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/certbot/rfc2136.ini --manual-cleanup-hook /usr/local/bin/generate-email-pem.sh
/etc/letsencrypt/certbot/rfc2136.ini needs config for the DNS authoritative server as well as a key to be able to make updates. If using with Courier IMAP, then
/usr/local/bin/generate-email-pem.sh is used to concatenate the key and certfile together and copy the resulting file into a place for the server to read.
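The following is an added example, not the script used on this page, of what a hook like generate-email-pem.sh can do: it builds the combined key-plus-certificate file with owner-only permissions and installs it with an atomic rename, so the mail server never reads a half-written file. Taking the live directory and destination as two arguments, and using fullchain.pem as the certificate file, are assumptions.

```shell
#!/bin/sh
# Added example: combine a Certbot private key and certificate chain into a
# single PEM file for a mail server that expects both in one file.
# Assumed usage (hypothetical): generate-email-pem.sh LIVE_DIR DEST

build_combined_pem() {
    live_dir=$1
    dest=$2
    key="$live_dir/privkey.pem"
    chain="$live_dir/fullchain.pem"   # assumption: full chain, not cert.pem

    # Refuse to touch the installed file if either input is missing or empty.
    if [ ! -s "$key" ] || [ ! -s "$chain" ]; then
        echo "missing or empty key/certificate in $live_dir" >&2
        return 1
    fi

    # Create the temp file in the destination directory so that mv is a
    # rename on the same filesystem. mktemp creates it with mode 0600, so the
    # private key is never readable by other users, even briefly.
    tmp=$(mktemp "$(dirname "$dest")/.pem.XXXXXX") || return 1

    # Key first, then certificate, as described in the text above.
    if cat "$key" "$chain" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi

    # Any failure: remove the partial file and leave the old PEM in place.
    rm -f "$tmp"
    return 1
}

# Run only when both paths are supplied on the command line.
if [ "$#" -eq 2 ]; then
    build_combined_pem "$1" "$2"
fi
```

The destination file must be owned by, or otherwise readable to, the account the mail server reads it as; mode 600 gives no access to anyone else.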
troubleshooting
Sometimes the renewals fail because the challenge can’t be verified on the DNS servers. The following may be seen:
Attempting to renew cert (gbweb.net) from /etc/letsencrypt/renewal/gbweb.net.conf produced an unexpected error: Some challenges have failed.. Skipping. All renewal attempts failed.
Commonly this is because of a DNS issue. See Bind zone transfer failure for details.